Tomcat Security

Hi, all. I'm trying to configure the security of my app using Tomcat but it's not working.

I have 2 jsps:

login.jsp main.jsp

my xml is:

The first page of my app is main.jsp. The constraint is on this .jsp, but when the application starts, login.jsp is not called. The browser throws an error. There is something else wrong too, because my port is :8080 and when I call this page, it redirects to :8443. The URL would be http://localhost:8080/MyApp. NetBeans is redirecting to http://localhost:8443/MyApp

Thanks Ulf, it's working now. But now I have another problem. I called main.jsp, the app was redirected to login.jsp, I submitted the user and password, and the app was redirected to main.jsp again. I'm logged in to Tomcat, but I have to submit the user and password to a servlet that connects the application to the database.

How can I do it? Thanks.

Ulf Dittmer

posted Feb 22, 2008 13:44:00


What kind of username/password is this, or rather, who knows it? I assume it's different from the one used to log into the web app (at least it should be). If only the user knows it, then you need to put up a page containing a form that collects it from the user. If the system can look it up based on the Tomcat credentials, then, well, it can look it up and there's no need for the user to enter it.

The user has a user and password in Tomcat and a user and password in the Oracle database. They are the same. My intention is that when someone types the URL of the application (/MyApp/MainMenu.jsp), it's redirected to login.jsp. At this moment the page will submit the user and password to Tomcat. The action of the form is j_security_check. After submitting this page, Tomcat will redirect again to /MyApp/MainMenu.jsp because the user tried to access it but wasn't logged in. In MainMenu.jsp, the user will select a report to show. At this moment I will connect the user to Oracle using Hibernate. For that, I have a servlet named Authentication.class. This is the problem: how will I submit the user and password the user typed in login.jsp? I can't take the parameters because the action of login.jsp is j_security_check.

Ulf Dittmer

posted Feb 23, 2008 15:10:00


First off, I'd keep the web password separate (and distinct) from the database password, and not tell the user their DB password. You can have the user log into the web app, and then look up their DB password from some secure storage. (It's more common to have just a single DB user for all web users, but that's a different discussion.)

If you are set on implementing what you describe, you'll need to do something server-specific, because there is no way to access j_security_check info using servlet spec-compliant ways. For Tomcat, which does not allow filtering of j_security_check, you could use a Valve, or create your own Realm that gives you access to the username/password. (An article I wrote for the JavaRanch Journal describes the Realm approach.)

[ February 23, 2008: Message edited by: Ulf Dittmer ]
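
The separation recommended in the reply above, as an added example that is not code from the thread or from any poster: the servlet takes the identity Tomcat established through j_security_check from `getRemoteUser()` and queries through one container-managed database account, so the web password never has to reach the application. The class name, the JNDI name `jdbc/ReportsDB` and the `reports` table are assumptions, as is the `javax.servlet` API of that Tomcat era.

```java
// Added example. Assumed names: ReportServlet, JNDI resource jdbc/ReportsDB,
// table reports(title, owner). One DB account is shared by all web users.
import java.io.IOException;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.sql.DataSource;

public class ReportServlet extends HttpServlet {
    private DataSource ds;
    @Override
    public void init() throws ServletException {
        try {
            // DB credentials stay in the container's resource configuration,
            // not in the application, the login form or the session.
            ds = (DataSource) new InitialContext().lookup("java:comp/env/jdbc/ReportsDB");
        } catch (NamingException e) {
            throw new ServletException("DataSource jdbc/ReportsDB is not configured", e);
        }
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
        // Set by Tomcat once j_security_check has succeeded; null means this
        // URL is not covered by a security constraint, so refuse to serve it.
        String user = req.getRemoteUser();
        if (user == null) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        // Rows are scoped to the authenticated web user with a bound parameter.
        String sql = "SELECT title FROM reports WHERE owner = ?";
        try (Connection c = ds.getConnection(); PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setString(1, user);
            try (ResultSet rs = ps.executeQuery()) {
                resp.setContentType("text/plain;charset=UTF-8");
                while (rs.next()) { resp.getWriter().println(rs.getString(1)); }
            }
        } catch (SQLException e) {
            throw new ServletException("Report query failed", e);
        }
    }
}
```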